Part 2: How Boards Can Ask Better Questions About Fraud And Corruption Risk
Technical Staff | April 15, 2026
Boards typically ask whether controls, policies, training, and reporting channels exist. But these broad questions rarely reveal true fraud and corruption risk. To uncover real exposure, boards must ask where controls fail under pressure, who can override them, and which repeated exceptions are being classified as isolated.
Many boards fall short here. They accept polished summaries, few whistleblowing reports, high training rates, and closed audit findings, then confuse activity with protection. Boards must demand real oversight and push past comfort.
Three questions expose the real picture.
First, where can senior pressure weaken control discipline in practice, even if policy says otherwise? This question tests whether urgent payments, hiring decisions, vendor onboarding, commissions, or executive expenses can be pushed through informally.
Ask management to identify the five business areas where fraud and corruption risk rises fastest under pressure, and require a short report on retroactive approvals and unresolved exception root causes from the last reporting period.
Second, what patterns exist across exceptions, overrides, and repeat findings? One exception may be explainable. Repeated exceptions in the same function, geography, or management chain are evidence of exposure — not coincidence.
Ask internal audit which weaknesses keep recurring, even when they are labeled differently across cycles. That pattern is where the real risk lives.
Third, does low reporting reflect integrity or fear? A low number of complaints or whistleblowing reports may signal trust in the institution. It may equally signal silence, fear of retaliation, or the belief that reporting leads nowhere. Boards that do not test this assumption are governing blindly.
Ask management to clarify where informal influence can shape outcomes despite formal controls, and ask directly why staff should trust the system.
Stop rewarding vague assurance. If management claims controls work, ask where they fail. If management denies major issues, ask which early warning signs are ignored.
Boards do not enhance oversight by asking whether safeguards exist; they do so by assessing whether those safeguards remain effective under pressure, power, and commercial urgency.
If these questions do not make management uncomfortable, the board is still too far from the risk.







































